Proxy authentication for a multiple core network device

ABSTRACT

The present invention is generally related to a network computing device including a first processor communicating with a second processor as a proxy for a client device when authenticating access privileges of the client device. The present invention may include more than two processors where at least one of the multiple processors may be optimized for performing one or more control functions and one or more other processors may be optimized for transferring data or administrating the transfer of data through a gateway or firewall.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation and claims the priority benefit of U.S. patent application Ser. No. 14/605,731 filed Jan. 26, 2015, issuing as U.S. Pat. No. 9,584,516 on Feb. 28, 2017, the disclosure of which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

Field of the Invention

The present invention is generally related to a network computing device including a first processor communicating with a second processor as a proxy for a client device when authenticating access privileges of the client device. More specifically, the present invention relates to the first processor running software to communicate with the second processor as if it were a client device, where the software running on the first processor does not validate the authenticity of the client device.

Description of the Related Art

Client devices attempting to gain access to a resource in a networked computing environment are commonly authenticated before being allowed to access data or programs stored at the resource. A client device commonly gains access to a specific resource after sending a request to access the resource and after credentials of the client device have been authenticated.

The authentication of credentials from a client device may includecommunications between the client device, a gateway or firewall, and anauthentication server. After an authentication process has beencompleted, the gateway or firewall may allow the client device tocommunicate with a computing resource in a networked computingenvironment. The computing resource may be a computer or a server thatis distinct from the authentication server that was communicated withduring the authentication process of the client device.

Information used to authenticate the credentials of a client device may include, yet is not limited to, a password, a user name, a security certificate, or other information provided by the client device. The authentication information provided by the client device may be compared with information at or provided by an authentication server. A gateway or firewall located between the client device and the authentication server may also perform an authentication process where credentials of a server or a client device may be authenticated. In some configurations, a gateway or firewall may act as the authentication server itself.

When additional security is desired, the authentication of a client device may be performed after a Secure Sockets Layer (SSL) communication session has been established. The authentication of the credentials of a client device may therefore be performed with or without establishing an SSL communication session. When an SSL communication session is used, it is commonly established after establishing a transmission control protocol (TCP) session between a client device and a computing device.

Today computing devices including gateways and firewalls commonly include multiple processors (i.e., a multi-processor) where at least one of the multiple processors may be optimized for performing one or more control functions. In these systems one or more other processors may be optimized for transferring data between a client device and a computing resource. The functionality of a processor optimized for transferring data, i.e. a data plane (DP) processor, may process the movement of data (i.e., data traffic) according to a set of access rules or other settings that may be configured by a processor optimized for control functions, i.e. a control plane (CP) processor.

Frequently data passing through a gateway or a firewall is administrated by one or more DP processors. The communication of data through the gateway or firewall may be optimized by using software that is designed to transfer data and that includes little or no program code for performing control functions. Similarly, software optimized for performing control functions includes little or no program code that optimizes the transfer of data through the gateway or firewall. CP processors may include a full set of operating system (OS) software, where DP processors include an entirely different set of program code. A gateway/firewall that includes multiple processors may also communicate with a client device using a single communication path or socket. A socket is an endpoint implemented in software that establishes bidirectional communication between a program that communicates information on behalf of a computer or server and one or more client programs. A socket is known to associate a computer/server program with a specific logical port on the machine where it runs, such that a client program may communicate with the computer/server program over the socket that is associated with the port.

A client device, therefore, may not communicate simultaneously with a CP processor and a DP processor over the single communication pathway. Conventionally, if a DP processor is used to authenticate a client device, program code associated with the DP processor must be overly complex because it must include all of the software required to authenticate a client device. Similarly, if a CP processor is used to authenticate a client device, the CP processor may be overloaded handling information relating to SSL virtual private network (VPN) data traffic transmitted between a computing resource and the client device after an authentication process has been completed. In either instance, the performance of the CP processor or the DP processor cannot be fully optimized using currently available multi-processor computing systems.

What is needed is a system and a method for optimizing the performance of CP processors and DP processors in a multi-processor system that does not require a DP processor to validate the credentials of a client device and that does not require a CP processor to administrate the transfer of data through a computing device.

SUMMARY OF THE PRESENTLY CLAIMED INVENTION

The present invention is generally related to a multi-processor system including at least a first processor executing software that is optimized for administrating the transfer of data and a second processor executing software that is optimized for performing control functions, where the first processor acts as a proxy for the client device when the credentials of a client device are authenticated.

A client device attempting to gain access to a resource on a computing network sends an authentication request to a first processor in a gateway that includes a plurality of processors. After receiving the authentication request the first processor initiates a socket communication pathway to a second processor, and the first processor sends the authentication request to the second processor. After receiving the authentication request the second processor sends a corresponding request to an authentication server, and the authentication server responds by sending a response to the second processor.

After receiving the response from the authentication server the second processor sends a communication to the first processor using the socket pathway. After receiving the communication from the second processor the first processor forwards the communication to the client device. When the forwarded response authorizes communications between the client device and the computing resource, the client device may communicate with the resource on the computer network.

Communications between the client device and the first processor may be communicated over a first network communication interface, and communications between the second processor and the authentication server may be communicated over a second network communication interface. Communications between the first processor and the second processor may identify an internet protocol (IP) address and a port number of the client device. Communications transmitted through the gateway to the requested computing resource may be communicated through any network communication port at the gateway.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a block diagram of a computing device that may be used to implement various embodiments of the present invention.

FIG. 2 illustrates a client device, a gateway, and an authentication server communicating according to an exemplary methodology consistent with the disclosure of the present invention.

FIG. 3 illustrates a method of the present invention that may be implemented at a computing device including multiple processors in a computer network.

DETAILED DESCRIPTION

The present invention is generally related to a multi-processor system including at least a first processor executing software that is optimized for administrating the transfer of data and a second processor executing software that is optimized for performing control functions, where the first processor acts as a proxy for the client device when the credentials of a client device are authenticated.

The present invention may use secure communications channels using the Secure Sockets Layer (SSL) protocol, the Hypertext Transfer Protocol Secure (HTTPS) protocol (which employs the SSL protocol), or the Internet Protocol Security (IPSec) protocol.

FIG. 1 illustrates a block diagram of a computing device that may be used to implement various embodiments of the present invention. FIG. 1 illustrates an exemplary computing system 100 that may be used to implement a computing device with the present technology. Note that FIG. 1 is exemplary and that not all features shown in the figure need be included in a gateway or a firewall implementing the present invention. System 100 of FIG. 1 may be implemented in the contexts of the likes of clients and servers. The computing system 100 of FIG. 1 includes one or more processors 110 and memory 120. Main memory 120 may store, in part, instructions and data for execution by processor 110. Main memory 120 can store the executable code when in operation. The system 100 of FIG. 1 further includes mass storage 130, which may include resident mass storage and portable storage, antenna 140, output devices 150, user input devices 160, a display system 170, peripheral devices 180, and I/O devices 195.

The components shown in FIG. 1 are depicted as being connected via a single bus 190. However, the components may be connected through one or more data transport means. For example, processor unit 110 and main memory 120 may be connected via a local microprocessor bus, and the storage 130, peripheral device(s) 180, and display system 170 may be connected via one or more input/output (I/O) buses.

Mass storage device 130 may include mass storage implemented with a magnetic disk drive, an optical disk drive, or FLASH memory, or may be a portable USB data storage device. Mass storage device 130 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 120. The system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 100 via the portable storage device.

Antenna 140 may include one or more antennas for communicating wirelessly with another device. Antenna 140 may be used, for example, to communicate wirelessly via Wi-Fi, Bluetooth, with a cellular network, or with other wireless protocols and systems. The one or more antennas may be controlled by a processor 110, which may include a controller, to transmit and receive wireless signals. For example, processor 110 executes programs stored in memory 120 to control antenna 140, transmit a wireless signal to a cellular network, and receive a wireless signal from the cellular network.

The system 100 as shown in FIG. 1 includes output devices 150 and input devices 160. Examples of suitable output devices include speakers, printers, and monitors. Input devices 160 may include a microphone, accelerometers, a camera, and other devices. Input devices 160 may also include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys. I/O devices 195 include network interfaces and touch screens. Network interfaces used by the present invention may connect to any computer network (wired or wireless) known in the art, including, yet not limited to, Ethernet or 802.11.

Display system 170 may include a liquid crystal display (LCD), LED display, a plasma display, or be another suitable display device. Display system 170 receives textual and graphical information, and processes the information for output to the display device.

Peripherals 180 may include any type of computer support device to add additional functionality to the computer system. For example, peripheral device(s) 180 may include a modem or a router.

The components contained in the computer system 100 of FIG. 1 are those typically found in a computing system, such as but not limited to a gateway, a firewall, a desktop computer, a laptop computer, a notebook computer, a netbook computer, a tablet computer, a smart phone, a personal data assistant (PDA), or other computer that may be suitable for use with embodiments of the present invention, and are intended to represent a broad category of such computer components that are well known in the art. Thus, the computer system 100 of FIG. 1 can be a personal computer, hand held computing device, telephone, mobile computing device, workstation, server, minicomputer, mainframe computer, gateway, firewall, or any other computing device. The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc. Various operating systems can be used including but not limited to Unix, Linux, Windows, Macintosh OS, Palm OS, Android OS, and Apple iOS.

FIG. 2 illustrates a client device, a gateway, and an authentication server communicating according to an exemplary methodology consistent with the disclosure of the present invention. The gateway 220 in FIG. 2 includes a first processor DP 230 and a second processor CP 240. The first processor DP 230 executes software out of memory that is optimized for communicating data between computing resource 260 and the client device 210 after credentials of the client device 210 have been validated by authentication server 250. The second processor CP 240 executes software out of memory that is optimized for control functions executed by the gateway. Software operating on the first processor DP 230 may communicate with the second processor CP 240 when the credentials of the client device are being validated. Processor DP 230 may communicate with the second processor CP 240 using a socket or another remote procedure call (RPC) mechanism. The DP processor and the CP processor may be integrated within a single multi-processor package that includes one or more silicon chips, i.e. dies, where each chip/die may include one or more processors. The multi-processor package may be a multi-chip module. The multiple processors in gateway 220 may include one or more processors assembled into one or more packages and may include one or more multi-chip modules.

The gateway of FIG. 2 may communicate with an authentication server 250 when the credentials of a client device are being authenticated. After the credentials of a client device have been authenticated to access data on computing resource 260, data may be transmitted through the gateway 220 between the client device 210 and the computing resource 260.

FIG. 2 also includes a series of steps that may be performed according to an embodiment of the present invention. Client device 210 using internet protocol (IP) address 1.1.1.1 communicates with the gateway 220 over port 1234 (i.e., IP address and port 1.1.1.1:1234) at the client device 210 and over a port at the gateway 220. The gateway in FIG. 2 uses IP address and port 2.2.2.2:443. The gateway 220 is depicted as communicating with an authentication server 250 over a second port at the gateway 220 and over a port at the authentication server 250. The IP address and port of the authentication server in FIG. 2 is 3.3.3.3:1812 (1812 being the registered RADIUS authentication port).

FIG. 2 illustrates the client device 210 sending an authentication request 1 to the DP processor 230 in gateway 220. The DP processor then forwards this authentication request 2 to the CP processor 240 in gateway 220, after which the CP processor 240 sends a corresponding authentication request 3 to the authentication server 250. In an embodiment of the invention the DP processor communicates with the CP processor using the IP address and port number of the client device. In this instance the DP processor acts as a transparent proxy for the client device. The CP processor may be entirely unaware that the DP processor is acting as a transparent proxy; from its perspective the request appears to originate from 1.1.1.1:1234.

After the authentication server 250 has received the authentication request from the CP processor, the authentication server 250 sends an authentication response 4 to the CP processor, and then the CP processor sends the authentication response 5 to the DP processor 230. Next the DP processor forwards the authentication response 6 to the client device 210. When the authentication response 6 authorizes communications between the client device and the computing resource 260, data traffic 7 may flow between the computing resource 260 and the client device 210 according to one or more access rules or other settings set in software executed by the DP processor 230.

FIG. 3 illustrates a method of the present invention that may be implemented at a computing device including multiple processors in a computer network. In step 310 a processor in the computing device receives a request to initiate secure communications over a Secure Sockets Layer (SSL) session. In step 320, the first processor at the computing device receives a request from a client device to gain access to computing resources at a computing network. The request in step 320 may include one or more communications and may include credentials used to validate the authenticity of the client device or a user using the client device. The credentials provided by a client device may include, yet are not limited to, a password, a user name, a security certificate, or other information provided by the client device.

In step 330 a connection is created between the first processor and a second processor at the computing device. The connection may be a socket connection where the first processor acts as a proxy for the client device by representing itself as the client device, using an IP address and a port number associated with the client device. The first processor may then forward the authentication request to the second processor using the IP address and the port number associated with the client device in step 340 of the flow chart. Then in step 350 the second processor transmits a corresponding authentication request to an authentication server over a second network communication interface. The authentication request transmitted to the authentication server in step 350 may include some or all of the authentication information provided by the client device.

Then in step 360 a response to the authentication request is received by the second processor, and in step 370 a corresponding response message is sent to the first processor. The corresponding response message sent to the first processor in step 370 may include the IP address and the IP port number of the client device. The first processor then forwards the corresponding response message to the client device in step 380 of the method of FIG. 3. In step 390 the client device and the requested resource communicate with each other through the computing device.
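The exchange described in the Summary, in FIG. 2, and in steps 310-390 of FIG. 3 is modelled below as an added Python simulation; it is not code from the patent or from any product. The DP-to-CP socket pathway (step 330) is a socket.socketpair(), the authentication server at 3.3.3.3:1812 is stood in for by an in-process credential table with constructed entries, and credentials are assumed to be a user name and password (one of the credential types the page lists). The names DataPlane, control_plane, authentication_server and run_demo are the example's own. The point it shows that the prose does not: the DP carries no credential-checking code at all, it tags each relayed request with the client's IP:port so the CP cannot tell it is a proxy, and it uses the IP:port echoed in the response (step 370) to decide which client's access rule to install. A response whose IP:port matches no pending client is dropped rather than turned into an access rule; that defensive check is the example's design choice, not something the patent states.

```python
"""Simulation of DP/CP proxy authentication: the DP relays the client's request
to the CP over a socket tagged with the client IP:port, the CP asks the
authentication server, and the DP gates data traffic on the CP's answer."""
import json
import socket
import threading

# Constructed credential store standing in for the authentication server
# at 3.3.3.3:1812. Assumption: user name + password credentials.
AUTH_SERVER_DB = {"alice": "correct horse", "bob": "battery staple"}


def authentication_server(username, password):
    """Steps 350/360: compare the presented credentials with stored ones."""
    return AUTH_SERVER_DB.get(username) == password


def control_plane(cp_sock):
    """Runs on the CP processor. Reads newline-framed JSON requests from the
    DP socket, queries the authentication server and writes back a response
    that echoes the client IP:port (steps 350-370). It never learns that the
    sender is the DP rather than the client itself."""
    buf = b""
    while True:
        chunk = cp_sock.recv(4096)
        if not chunk:          # DP closed the socket pathway
            return
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            req = json.loads(line)
            ok = authentication_server(req["user"], req["password"])
            resp = {"client": req["client"], "result": "accept" if ok else "reject"}
            cp_sock.sendall(json.dumps(resp).encode() + b"\n")


class DataPlane:
    """Runs on the DP processor. Holds no credential-checking code: it relays
    the request as if it were the client (transparent proxy) and switches data
    traffic only for clients the CP has accepted."""

    def __init__(self, cp_sock):
        self.cp_sock = cp_sock
        self.rfile = cp_sock.makefile("rb")
        self.pending = set()      # client (ip, port) tuples awaiting a CP decision
        self.access_rules = {}    # (ip, port) -> True once the CP accepted it

    def handle_auth_request(self, client_ip, client_port, user, password):
        """Steps 320-340: forward the request over the socket, tagged with the
        client's IP:port, then process the CP's reply."""
        key = (client_ip, client_port)
        self.pending.add(key)
        msg = {"client": [client_ip, client_port], "user": user, "password": password}
        self.cp_sock.sendall(json.dumps(msg).encode() + b"\n")
        return self.handle_auth_response(json.loads(self.rfile.readline()))

    def handle_auth_response(self, resp):
        """Steps 370-380: match the CP's response to a pending client by the
        echoed IP:port. An unmatched response is dropped, never made a rule."""
        key = tuple(resp["client"])
        if key not in self.pending:
            return "dropped"
        self.pending.discard(key)
        if resp["result"] == "accept":
            self.access_rules[key] = True
        return resp["result"]

    def forward_data(self, client_ip, client_port):
        """Step 390: data traffic 7 flows only for an authorized client."""
        return self.access_rules.get((client_ip, client_port), False)


def run_demo():
    """Drive two clients plus one stray response through the gateway."""
    dp_end, cp_end = socket.socketpair()   # the DP<->CP socket pathway (step 330)
    threading.Thread(target=control_plane, args=(cp_end,), daemon=True).start()
    dp = DataPlane(dp_end)
    results = {
        "alice": dp.handle_auth_request("1.1.1.1", 1234, "alice", "correct horse"),
        "bob_bad_pw": dp.handle_auth_request("1.1.1.2", 5678, "bob", "wrong"),
        # A response naming an IP:port that never asked must not open a rule.
        "stray": dp.handle_auth_response({"client": ["9.9.9.9", 1], "result": "accept"}),
        "alice_data": dp.forward_data("1.1.1.1", 1234),
        "bob_data": dp.forward_data("1.1.1.2", 5678),
        "stray_data": dp.forward_data("9.9.9.9", 1),
    }
    dp.rfile.close()
    dp_end.close()                         # CP thread sees EOF and exits
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Because the DP waits for each response before sending the next request, the single socket pathway never carries interleaved messages, which mirrors the single-communication-path constraint described in the Background. The access-rule table keyed on (ip, port) is what lets one DP serve many clients while only the CP, and through it the authentication server, ever sees a credential.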

The various methods may be performed by software operating in conjunction with hardware, for example instructions executed by a processor, the instructions being stored in a non-transitory computer readable medium such as memory. Various interfaces may be implemented, both communications interfaces and user interfaces. One skilled in the art will appreciate the various requisite components of a mobile device and the integration of the same with one or more of the foregoing figures and/or descriptions.

While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. The descriptions are not intended to limit the scope of the presently claimed invention or to limit the scope of embodiments of the present invention. The present descriptions are intended to cover alternatives, modifications, and equivalents consistent with the spirit and scope of the disclosure.

CLAIMS

1. A method for proxy authentication, the method comprising: receiving an authentication request at a first processor of a multi-processor computing device, the authentication request sent by a client device in order to access computing resources of a computing network; forwarding the authentication request from the first processor to a second processor of the multi-processor computing device, the second processor executing software to authenticate the client device; forwarding an authentication response from the second processor to the first processor; and enabling the client device to access the computing resources of the computing network when the authentication response indicates that the client device is authorized, wherein the first processor executes software to process data transfer to the client device.

2. The method of claim 1, further comprising establishing a connection between the first processor and the second processor, wherein the authentication request is forwarded from the first processor to the second processor over the established connection, and wherein the authentication response is forwarded from the second processor to the first processor over the established connection.

3. The method of claim 2, wherein the established connection is a socket connection, and wherein the first processor uses an internet protocol address and a port number associated with the client device to forward the authentication request to the second processor.

4. The method of claim 1, wherein the authentication request includes credentials, and wherein the client device is validated when the credentials match credential information stored at an authentication server.

5. The method of claim 1, further comprising receiving a request to initiate secure communications over a secure socket layer at the multi-processor computing device, the request received prior to receiving the authentication request.

6. The method of claim 1, wherein enabling the client device to access the computing resources of the computing network is based on an access rule defined in the first software.

7. A non-transitory computer-readable storage medium, having embodied thereon a program comprising instructions executable by a processor to perform a method for proxy authentication, the method comprising: receiving an authentication request at a first processor of a multi-processor computing device, the authentication request sent by a client device in order to access computing resources of a computing network; forwarding the authentication request from the first processor to a second processor of the multi-processor computing device, the second processor executing software to authenticate the client device; forwarding an authentication response from the second processor to the first processor; and enabling the client device to access the computing resources of the computing network when the authentication response indicates that the client device is authorized, wherein the first processor executes software to process data transfer to the client device.

8. The non-transitory computer readable medium of claim 7, further comprising instructions executable to establish a connection between the first processor and the second processor, wherein the authentication request is forwarded from the first processor to the second processor over the established connection, and wherein the authentication response is forwarded from the second processor to the first processor over the established connection.

9. The non-transitory computer readable medium of claim 8, wherein the established connection is a socket connection, and wherein the first processor uses an internet protocol address and a port number associated with the client device to forward the authentication request to the second processor.

10. The non-transitory computer readable medium of claim 7, wherein the authentication request includes credentials, and wherein the client device is validated when the credentials match credential information stored at an authentication server.

11. The non-transitory computer readable medium of claim 7, further comprising receiving a request to initiate secure communications over a secure socket layer at the multi-processor computing device, the request received prior to receiving the authentication request.

12. The non-transitory computer readable medium of claim 7, wherein enabling the client device to access the computing resources of the computing network is based on an access rule defined in the first software.

13. A system for proxy authentication, the system comprising: a computing network server that hosts computing resources; and a multi-processor computing device comprising: a first processor that receives an authentication request sent by a client device in order to access computing resources of a computing network; and a second processor that: receives the authentication request forwarded by the first processor, executes software to authenticate the client device, and forwards an authentication response to the first processor; wherein the first processor executes software to process data transfer to the client device when the authentication response indicates that the client device is authorized, thereby enabling the client device to access the computing resources of the computing network.

14. The system of claim 13, wherein the multi-processor computing device further establishes a connection between the first processor and the second processor, wherein the authentication request is forwarded from the first processor to the second processor over the established connection, and wherein the authentication response is forwarded from the second processor to the first processor over the established connection.

15. The system of claim 14, wherein the established connection is a socket connection, wherein the first processor uses an internet protocol address and a port number associated with the client device to forward the authentication request to the second processor.

16. The system of claim 13, wherein the authentication request includes credentials, and wherein the client device is validated when the credentials match credential information stored at an authentication server.

17. The system of claim 13, wherein the multi-processor computing device further receives a request to initiate secure communications over a secure socket layer at the multi-processor computing device, the request received prior to receiving the authentication request.

18. The system of claim 13, wherein enabling the client device to access the computing resources of the computing network is based on an access rule defined in the first software.